Policy System Release Deployment Checklist

Walk every form, rate, rule, and class-code change in the release with the responsible product underwriter. Flag any change that touches a filed form (ACORD or proprietary) or a filed rate — those gate on SERFF approval before the cutover, not after.

For prior-approval states, the rate or form change cannot go live before the DOI's stated effective date. Pull each state's filing status and effective date from SERFF and reconcile against the deployment date. File-and-use states still need the filing logged before the rate goes live.

Grant elevated access to PolicyCenter, the integration bus, and the rating engine for the release team only — including any third-party vendor engineers. NYDFS Part 500 §500.7 requires least-privilege and §500.12 requires MFA on every path. Set the access to expire at the end of the maintenance window.

Refresh UAT from a recent production snapshot with NPI scrubbed per the GLBA Safeguards Rule. Run the regression suite — new business quote, bind, endorse, cancel, reinstatement — across at least one auto, package, and workers comp account. A common gotcha: UAT rate tables drift from prod across multiple releases and the regression passes against stale data.

Snapshot the policy admin DB, the claims DB, the document repository, and the rating tables. Confirm restore time against the carrier's RTO. File and claim retention is typically 7 years minimum and longer for workers comp — do not collapse the snapshot retention into a shorter ops window.

Send a 24-hour-ahead notice covering the maintenance window, impact to quote and bind in the producer portal, the AMS download cadence, and the rollback contact. Independent agencies running EZLynx or Applied Epic care most about the bind window — call it out explicitly.

Block new quote and bind transactions in PolicyCenter and the rater at the start of the window. In-flight quotes saved before the cutoff need a re-rate post-deployment — document the cutoff timestamp so producers can identify which quotes to refresh.

Roll out by line of business or state group rather than big-bang. A common pattern: monoline auto first, then commercial package, then workers comp (with NCCI vs. independent-bureau states split). Phased waves contain blast radius if a defect surfaces in one rating territory.

Run a representative transaction in each affected line. Confirm the premium matches the test plan to the cent, the dec page renders, the COI generates if applicable, and the policy posts to the document repository. Pay particular attention to e-mod and schedule mod calculations on workers comp and to surplus-lines tax on E&S quotes.

Capture every off-script action — config tweaks, hotfixes, feature-flag toggles, manual data fixes. The deployment record is discoverable in a market-conduct exam and in any Part 500 audit-trail review under §500.6.

If the smoke test fails, restore from the snapshot taken in pre-deployment and re-enable quote/bind on the prior release. Notify producers immediately — a silent rollback is worse than the original outage because in-flight transactions may have been priced on the failed release.

Issue a test-flagged new business policy through the producer portal. Confirm the dec page, ACORD 25 COI generation, premium installment setup, and the AMS download to Applied Epic or AMS360. A broken AMS download shows up as producers manually re-keying — catch it on day one.

Check the feeds to the GL, ClaimCenter, the reinsurance bordereaux, NCCI / state bureau reporting, OFAC screening, and the document destruction vendor's intake. A broken bordereau feed surfaces weeks later as a treaty dispute with the reinsurer; an OFAC feed gap creates payment-screening exposure.

If any integration is red, stand up a bridge with the GL, claims, reinsurance, and bureau reporting owners. Note: a Part 500 §500.17 cybersecurity event notification to NYDFS is a separate determination — escalate to the CISO if the failure looks like an unauthorized access path rather than a functional break.

Watch the producer help desk queue and the internal CSR channel for the first business day. Common day-one issues: rating drift on multi-state risks, missing endorsement language on the renewal proposal, ACORD 25 template formatting, e-mod application on workers comp.

Scan PolicyCenter logs, the rater's calculation traces, and the WAF for spikes in errors or unauthorized-access alerts. NYDFS Part 500 §500.6 requires audit-trail retention and review — the post-deployment scan is a natural checkpoint to satisfy it.

Finalize the change ticket, archive the deployment artifacts, and update the runbook with anything learned. Store per the carrier's retention policy — minimum 7 years for anything that touches policy or claim records.

NYDFS Part 500 §500.12 requires MFA on every external access path to internal networks — including third-party vendor VPN and break-glass admin accounts. Verify the release did not introduce a new admin endpoint that bypasses MFA.

Confirm TLS 1.2+ on every endpoint and at-rest encryption on the policy DB, document repository, and any new caches the release introduced. Required by both the GLBA Safeguards Rule and Part 500 §500.15. New caches and ephemeral S3 buckets are the most common gap.

Pull the elevated access granted in pre-deployment. Disable vendor accounts, rotate any break-glass credentials, and confirm the access expirations actually fired. Lingering vendor access is a recurring market-conduct and Part 500 audit finding.

Book the penetration test or vulnerability scan within the cadence required by Part 500 §500.5 — annual pen test, biennial risk assessment as a floor. Material releases (new product, new vendor, architecture change) trigger an interim assessment regardless of the cadence.

The compliance officer reviews the deployment record, change tickets, SERFF approval evidence, and security validation artifacts. Sign-off is captured in the change record and retained alongside the deployment file.